mysql_real_escape_string VS addslashes


Question

Can someone shed some light on the differences between these 2 functions, from the PHP manual:

addslashes: Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

mysql_real_escape_string: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

From what I gather the major difference is \x00, \n \r \x1a which addslashes doesn't escape, can you tell me what the significance of that is?

Recommended answer

What you quote is probably from the doc, but as far as I know it's not necessarily true.

addslashes adds slashes to characters that are commonly disturbing. mysql_real_escape_string escapes whatever MySQL needs to be escaped. This may be more or less characters than what addslashes takes care of.

Also, mysql_real_escape_string will not necessarily add slashes to escape. While I think it works if you do it that way, recent versions of MySQL escape quotes by putting two of them together instead of by putting a slash before it.

I believe you should always use your data provider's escape function instead of addslashes, because addslashes may either do too much or not enough work for the purpose you use it. On the other hand, mysql_real_escape_string knows what to do to prepare a string for embedding it in a query. Even if the specs change about how to escape stuff and suddenly it's not backslashes that you should use anymore, your code will still work because mysql_real_escape_string will be aware of it.
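
The point made in the answer, as an added example that is not part of the original post and is not PHP's or MySQL's own code: a simplified Python model of both escapers plus a minimal string-literal parser, used to check whether an escaped value round-trips. All function names are hypothetical; the `no_backslash_escapes` flag models MySQL's NO_BACKSLASH_ESCAPES SQL mode, which the page does not name, and character-set handling is not modelled.

```python
# Simplified model for illustration; not PHP's or MySQL's actual source.
MYSQL_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
UNESCAPES = {"0": "\x00", "n": "\n", "r": "\r", "Z": "\x1a"}

def addslashes(s):
    """PHP addslashes: backslash before ' " \\ ; NUL becomes backslash-zero."""
    return "".join("\\0" if c == "\x00" else ("\\" + c if c in "'\"\\" else c)
                   for c in s)

def mysql_escape(s, no_backslash_escapes=False):
    """Server-aware escaping: backslash sequences by default, quote doubling
    when the server treats backslash as an ordinary character."""
    if no_backslash_escapes:
        return s.replace("'", "''")
    return "".join(MYSQL_ESCAPES.get(c, c) for c in s)

def read_literal(sql, no_backslash_escapes=False):
    """Parse one single-quoted literal; return (value, text left after it)."""
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not no_backslash_escapes and i + 1 < len(sql):
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")   # doubled quote is one literal quote
            i += 2
        elif c == "'":
            return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")

def round_trips(escaped, value, no_backslash_escapes=False):
    """True if the parser recovers `value` and the literal ends where intended."""
    try:
        parsed, rest = read_literal("'" + escaped + "'", no_backslash_escapes)
    except ValueError:
        return False
    return parsed == value and rest == ""

SAMPLE = "O'Reilly\r\n\x1a"  # constructed input
if __name__ == "__main__":
    for nbe in (False, True):
        print(nbe, round_trips(addslashes(SAMPLE), SAMPLE, nbe),
              round_trips(mysql_escape(SAMPLE, nbe), SAMPLE, nbe))
```

In this model both escapers round-trip under the default mode, so the extra \n, \r and \x1a escapes do not change how the literal is parsed; only the mode-aware escaper still round-trips once backslash stops being an escape character.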
